Monitoring certificate expiration dates on Windows with NetXMS

We recently faced the task of monitoring the validity period of certificates on Windows servers. Well, it came up after the certificates had turned into a pumpkin several times, at exactly the time when the bearded colleague responsible for renewing them was on vacation. After that, he and I began to suspect something and decided to think about it. Since we are slowly but surely rolling out the NetXMS monitoring system, it became the main and, in principle, the only candidate for this task.

The result eventually took the following form:


And now the process itself.

NetXMS has no built-in counter for expiring certificates, so you need to create your own and use scripts to feed it data. In PowerShell, of course, since this is Windows. The script must read all certificates in the operating system, take their expiration date as a number of days, and pass this number to NetXMS through its agent. That is where we will start.

Option one, the simplest. Just get the number of days until expiration for the certificate with the nearest expiration date.

For the NetXMS server to know that our custom parameter exists, it must get it from the agent. Otherwise the parameter cannot be added, because it does not exist. Therefore, in the agent configuration file nxagentd.conf we add an external parameter line named HTTPS.CertificateExpireDateSimple, in which we register the script launch:

ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"

Given that the script is launched from the network, you need to remember the Execution Policy, and also not forget the other switches, "-NoLogo -NoProfile -NonInteractive", which I left out to keep the code readable.

As a result, the agent config looks like this:

#
# NetXMS agent configuration file
# Created by agent installer at Thu Jun 13 11:24:43 2019
#

MasterServers = netxms.corp.testcompany.ru
ConfigIncludeDir = C:\NetXMS\etc\nxagentd.conf.d
LogFile = {syslog}
FileStore = C:\NetXMS\var
SubAgent = ecs.nsm
SubAgent = filemgr.nsm
SubAgent = ping.nsm
SubAgent = logwatch.nsm
SubAgent = portcheck.nsm
SubAgent = winperf.nsm
SubAgent = wmi.nsm

ExternalParameter = HTTPS.CertificateExpireDateSimple: powershell.exe -File "\\server\share\NetXMS_CertExpireDateSimple.ps1"

After that, you need to save the config and restart the agent. You can do this from the NetXMS console: open the config (Edit agent's configuration file), edit it, and choose Save & Apply, which in fact does the same thing. Then re-read the configuration (Poll > Configuration) if you have no patience to wait at all. After these steps, you should be able to add our custom parameter.

In the NetXMS console, go to Data Collection Configuration for the test server on which we are going to monitor certificates and create a new parameter there (later, once it is set up, it makes sense to move it into templates). Select HTTPS.CertificateExpireDateSimple from the list, enter a clear name in Description, set the type to Integer and configure the polling interval. For debugging purposes it makes sense to make it shorter, 30 seconds, for example. Everything is ready; that is enough for now.

You can check... no, it is too early. Right now, of course, we will get nothing, simply because the script has not been written yet. Let's correct this oversight. The script will simply output a number, the number of days remaining until the certificate expires. The minimum of all those available. Example script:

try {
    # Get all certificates from the certificate store
    $lmCertificates = @( Get-ChildItem -Recurse -Path 'Cert:\LocalMachine\My' -ErrorAction Stop )

    # If there are no certificates, return "10 years"
    if ($lmCertificates.Count -eq 0) { return 3650 }

    # Get the expiration date of every certificate
    $expirationDates = @( $lmCertificates | ForEach-Object { return $_.NotAfter } )

    # Take the nearest expiration date of them all
    $minExpirationDate = ($expirationDates | Measure-Object -Minimum -ErrorAction Stop ).Minimum

    # Convert the nearest expiration date to the number of days left, rounded down
    $daysLeft = [Math]::Floor( ($minExpirationDate - [DateTime]::Now).TotalDays )

    # Return the value
    return $daysLeft
}
catch {
    return -1
}

It looks like this:


723 days, almost two years, remain until the certificate expires. That makes sense, because I recently reissued the certificates for the Exchange test bench.

That was the simple option. Perhaps someone will be satisfied with it, but we wanted more. We set ourselves the task of getting a list of all certificates on the server, by name, and seeing for each one the number of days left until it expires.

Option two, somewhat more complex.

Again we edit the agent config and there, instead of the ExternalParameter line, we write two others:

ExternalList = HTTPS.CertificateNames: powershell.exe -File "\\server\share\netxms_CertExternalNames.ps1"
ExternalParameter = HTTPS.CertificateExpireDate(*): powershell.exe -File "\\server\share\netxms_CertExternalParameter.ps1" -CertificateId "$1"

In ExternalList we simply get a list of strings. In our case, a list of strings with certificate names. We will get this list using a script. The list name is HTTPS.CertificateNames.

Script NetXMS_CertNames.ps1:

# List of possible certificate name types
$nameTypeList = @(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsFromAlternativeName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::UrlName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName,
        [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
)

# Find all certificates that have a private key
$certList = @( Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.HasPrivateKey -eq $true } )

# Walk the certificate list, build the string "Certificate name - Date - Thumbprint" and output it
foreach ($cert in $certList) {
    $name = '(unknown name)'
    try {
        $thumbprint = $cert.Thumbprint
        $dateExpire = $cert.NotAfter
        foreach ($nameType in $nameTypeList) {
            $name_temp = $cert.GetNameInfo( $nameType, $false)
            if ($null -ne $name_temp -and $name_temp -ne '') {
                $name = $name_temp;
                break;
            }
        }
        Write-Output "$($name) - $($dateExpire.ToString('dd.MM.yyyy')) - [T:$($thumbprint)]"
    }
    catch {
        Write-Error -Message "Error processing certificate list: $($_.Exception.Message)"
    }
}

Then, in ExternalParameter, we feed in the rows from the ExternalList list and get the same number of days as output for each one. The identifier is the certificate's Thumbprint. Note that HTTPS.CertificateExpireDate contains an asterisk (*) in this variant. This is necessary so that it accepts external variables, namely our CertificateId.

Script NetXMS_CertExpireDate.ps1:

# Declare the input parameter $CertificateId
param (
    [Parameter(Mandatory=$false)]
    [String]$CertificateId
)

# Check that it was supplied (a [String] parameter is never $null, only empty)
if ([string]::IsNullOrEmpty($CertificateId)) {
    Write-Error -Message "CertificateID parameter is required!"
    return
}

# Find the certificate by the Thumbprint in the $CertificateId string and determine its expiration date
$certId = $CertificateId;
try {
    if ($certId -match '^.*\[T:(?<Thumbprint>[A-Z0-9]+)\]$') {
        $thumbprint = $Matches['Thumbprint']
        $certificatePath = "Cert:\LocalMachine\My\$($thumbprint)"

        if (Test-Path -PathType Leaf -Path $certificatePath ) {
            $certificate = Get-Item -Path $certificatePath;
            $certificateExpirationDate = $certificate.NotAfter
            $certificateDayToLive = [Math]::Floor( ($certificateExpirationDate - [DateTime]::Now).TotalDays )
            Write-Output "$($certificateDayToLive)";
        }
        else {
            Write-Error -Message "No certificate matching this thumbprint found on this server $($certId)"
        }
    }
    else {
        Write-Error -Message "CertificateID provided in wrong format. Must be FriendlyName [T:<thumbprint>]"
    }
}
catch {
    Write-Error -Message "Error while executing script: $($_.Exception.Message)"
}
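
The instance string is the only link between the list script and the per-certificate script, and it reaches the second script as a command-line argument. The following added example (not from the original article) formats that string and parses it back while accepting only a 40-hex-digit SHA-1 thumbprint; the function names and the certificate objects are constructed for illustration, and no certificate store is touched.

```powershell
# Added example: function names and sample data are hypothetical / constructed.
Set-StrictMode -Version Latest

function Format-CertInstance {
    param([string]$Name, [datetime]$NotAfter, [string]$Thumbprint)
    # Same layout as the list script: "Name - dd.MM.yyyy - [T:THUMBPRINT]"
    '{0} - {1} - [T:{2}]' -f $Name, $NotAfter.ToString('dd.MM.yyyy'), $Thumbprint
}

function Get-ThumbprintFromInstance {
    param([string]$Instance)
    # Anchor at the end of the string and accept only a 40-hex-digit SHA-1
    # thumbprint, so nothing else from the argument can reach the Cert: path.
    if ($Instance -cmatch '\[T:(?<tp>[0-9A-F]{40})\]$') { return $Matches['tp'] }
    return $null
}

function Get-DaysLeft {
    param([datetime]$NotAfter, [datetime]$Now)
    # Same rounding as the article's scripts: whole days, rounded down.
    [int][Math]::Floor(($NotAfter - $Now).TotalDays)
}

# Constructed stand-ins for X509Certificate2 objects (no store access).
$now = [datetime]'2019-06-13T12:00:00'
$certs = @(
    [pscustomobject]@{ Name = 'mail.example.test';   NotAfter = $now.AddDays(723.5); Thumbprint = 'A1' * 20 }
    # Name that itself contains the marker text, and a certificate that expired 6 hours ago.
    [pscustomobject]@{ Name = 'old - [T:fake] site'; NotAfter = $now.AddHours(-6);   Thumbprint = '0F' * 20 }
)

foreach ($c in $certs) {
    $instance = Format-CertInstance $c.Name $c.NotAfter $c.Thumbprint
    $tp       = Get-ThumbprintFromInstance $instance
    $days     = Get-DaysLeft $c.NotAfter $now
    '{0} => thumbprint {1}, days left {2}' -f $instance, $tp, $days
}

# Malformed arguments are rejected instead of being turned into a path.
foreach ($bad in 'name - [T:*]', 'name - [T:abc]', '') {
    'rejected "{0}": {1}' -f $bad, ($null -eq (Get-ThumbprintFromInstance $bad))
}
```

A certificate that expired less than a day ago rounds down to -1, which is also the value the simple script returns from its catch block, so a threshold on that metric cannot tell the two cases apart.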

In the server's Data Collection Configuration we create a new parameter. In Parameter we choose our HTTPS.CertificateExpireDate(*) from the list and (attention!) change the asterisk to {instance}. This important point lets you create a separate counter for each instance (certificate). The rest is filled in as in the previous variant:


So that there is something to create counters from, on the Instance Discovery tab you need to select Agent List from the list and, in the List Name field, enter the name of our ExternalList from the script: HTTPS.CertificateNames.

Almost done; wait a little, or force Poll > Configuration and Poll > Instance Discovery if waiting is completely impossible. As a result, we get all our certificates with their validity periods:


What more do you need? Well, yes, only the worm of perfectionism looks with sad eyes at that unneeded Thumbprint in the counter name and will not let me finish the article. To feed it, open the counter properties again and, on the Instance Discovery tab, in the "Instance discovery filter script" field, add the following script written in NXSL (the internal language of NetXMS):

instance = $1;
if (instance ~= "^(.*)\s-\s\[T:[a-zA-Z0-9]+\]$")
{
    return %(true, instance, $1);
}
return true;

Which will filter out the Thumbprint:


And to display it filtered, on the General tab, in the Description field, change CertificateExpireDate: {instance} to CertificateExpireDate: {instance-name}:


That is it, finally the finish line from the lead image:


Isn't it a beauty?

All that remains is to set up alerts so that they arrive by email when a certificate is about to expire.

1. First we need to create an Event Template to fire when the counter value drops to a threshold we have set. In Event Configuration, let's create two new templates with names like CertificateExpireDate_Threshold_Activate with Warning severity:


and a similar CertificateExpireDate_Threshold_Deactivate with Normal severity.

2. Next, go to the counter properties and set a threshold on the Thresholds tab:


where we select the events we created, CertificateExpireDate_Threshold_Activate and CertificateExpireDate_Threshold_Deactivate, set the number of samples (Samples) to 1 (for this particular counter there is no point in setting more), set the value to 30 (days), for example, and, importantly, set the event repeat time. For production certificates I set it to once a day (86400 seconds), otherwise you can drown in notifications (which, by the way, happened once, so badly that the mailbox filled up over the weekend). While debugging, it makes sense to set it lower, 60 seconds, for example.

3. In Action Configuration, create a notification email template, like this:


All these %m, %S and so on are macros into which values from our parameter will be substituted. They are described in detail in the NetXMS manual.

4. And finally, combining the previous points, in Event Processing Policy create a rule that raises an alarm and sends an email:


We save the policy, and everything can now be tested. Let's set the threshold higher to check. My nearest certificate expires in 723 days, so I set it to 724 to check. As a result, we get the following alarm:


and this email notification:


That is it for sure now. Of course, it would be possible to set up a dashboard and build graphs, but for certificates these would be meaningless and boring ones, unlike graphs of processor or memory load, for example. But more about that another time.

Source: www.habr.com
